What would be a good analogue with which to describe Message Authentication Codes to a person who has little to no understanding of cryptography?

For instance, a vault is a reasonable analogue for symmetric authenticated encryption: anyone with the key can open the vault and inspect, alter, or replace the contents. Without the key, you can't know or manipulate what's inside. Similarly, a royal wax seal is an okay one for digital signatures: anyone can validate that a message originated from the person with that particular stamp with assurances that the message hasn't been altered since the envelope was sealed.

Is there a good physical example of something with similar semantics to MACs?

Huh? I always thought of a vault as the analogue for commitments.
–
Ricky Demer, Jul 9 '13 at 4:02

3

Since a MAC can only be checked when you know the secret, the only analog I can think of are the various security signs that are used to guarantee the authenticity of banknotes or high end luxury products. For banknotes, a few signs are more or less public but even for those, if you don't know about them you can be surprised the first time someone shows them.
–
minar, Jul 9 '13 at 5:11

Bounty awarded for the highest number of upvotes, accuracy of the physical analogy, and relative simplicity and intuitiveness of the answer (@D.W.'s is slightly simpler, but at the cost of accuracy).
–
Stephen Touset, Jul 17 '13 at 22:19

A MAC is a shipping note or delivery note, which comes in a locked box.

You need a key to open it, otherwise you can't see its content, and it has to be the same key as the one used by the sender. Inside, there is a description of something else, like "this delivery contains 173 kg bananas and 43 kg apples". If the box is undamaged and can be opened with the correct (previously known) key, then we know what the delivery should contain. If that's equal to the real delivery, we can conclude that it wasn't manipulated.

+1. The only thing this doesn't capture is the avalanche effect, whereby a small change to the contents of the delivery doesn't lead to a large (or any) change to the representation of the delivery (the delivery note). The description could be any representation of the contents, e.g. photographs, textual, a wax model...
–
Michael, Jul 13 '13 at 17:42

Eh, how is this different from my answer? You've just replaced photo by description and that's it...
–
Maarten Bodewes, Jul 15 '13 at 21:57

The difference is that a photo is not necessarily an exact description of the box. Photos always have information loss (2D vs 3D) and small errors can't be detected (1000 beans or 1001 beans?).
–
tylo, Jul 25 '13 at 9:41

Here is a decent analogue: a hidden watermark on paper, activated chemically perhaps. Maybe the watermark is a pattern of dots. Anyone with knowledge of the watermark and how to activate it could verify the authenticity of the document, whereas anyone without knowledge would not be able to. I assume bank notes in real life have similar watermarks, although that is purely speculation.

Here's another possible analogy: suppose you had an item in a clear acrylic display case that had a built-in lock, specifically one of those locks that required it to be locked with the key itself.

Then someone without the key, upon coming across this case, could not verify that it was locked with a specific key, though they would know it was locked with some key. Someone with the "real" key could simply try to unlock the case, and if they succeeded, well, there you go.

This fits relatively well with a real MAC: the theoretical "algorithm" would be to use a case with the corresponding key(s). An attacker without the key cannot easily alter the document in question without alerting the key-bearer(s): any sort of brute-force physical attack on the case would likely leave marks on the case (e.g., saws, acid, etc.) The only exception would be lockpicking, but many physical analogues for other cryptographic primitives suffer from lockpicking too, so we'll ignore it.

There are a few inconsistencies, however: in a real cryptographic primitive, if the attacker has no knowledge of the scheme, the attacker may not necessarily know that a particular value is indeed a MAC tag. With the display case, however, it is quite clear that the document in question is protected, no matter how little an attacker knows. Further, with a real MAC, if you don't possess the key, you cannot verify the authenticity of the item in question. With the acrylic display case, you can pretty much look at it and figure out whether or not an unauthorized party has modified it: maybe someone took a bandsaw to the hinges to remove the door. That'd be pretty hard to miss.

On the other hand, as a third party looking at the display case, you don't necessarily know who has keys, so a bit of subterfuge could go unnoticed. Anyway, despite giving this matter a fair bit of thought, I have yet to come up with a better physical analogue, so take this as you will.

But then everyone who is able to check the watermark should be also able to produce her own one.
–
Paŭlo Ebermann♦, Jul 9 '13 at 19:58

@PaŭloEbermann: Well... I suppose I was thinking along the lines of if you knew a secret watermark was there, then you could create the watermark (or have a professional do it, I guess). The locked-case analogy is probably better.
–
Reid, Jul 9 '13 at 20:24

@PaŭloEbermann: Yes, that's how most MACs work -- everyone who can check the MAC can also produce their own. When teaching people about MACs, we want the physical analogue to have the same flaws as the actual MAC.
–
David Cary, Jul 13 '13 at 14:48

@DavidCary I know how a MAC works, but creating a watermark is a lot more difficult than checking it, even if you know the "secret". At least from my understanding of "watermark". And this breaks the analogue.
–
Paŭlo Ebermann♦, Jul 14 '13 at 10:35

@Reid -- you have two pretty good ideas here; I wish you had posted them as two separate answers, so that the "better one" (whichever that may be) would float to the top. +1 anyway.
–
David Cary, Jul 15 '13 at 20:40

Consider a combination lock, where Alice and Bob know the secret combination. Alice can send Bob a message by writing down her message on a piece of paper, putting the piece of paper inside a metal chest, and locking the chest with the padlock. Then, Alice sends the chest by courier to Bob. Now Bob, who knows the combination, can open the combo lock and read Alice's message. No one else will be able to tamper with the message, since they don't know the combination to the lock. For example, the courier cannot tamper with the integrity of the message, since the courier doesn't know the combination. Here the secret combination plays the role of the MAC key.

If you want the analogy to be slightly closer to a MAC, make it a transparent chest (with no slits or openings in it), so anyone can see through the chest but can't touch or tamper with the paper inside.

I disagree, a MAC can only detect tampering but not prevent it - unlike the padlock.
–
orlp, Jul 12 '13 at 19:54

Your transparent chest has a slit in the top, so you actually can tamper by adding more messages inside ... kinda like a length extension for a bad MAC.
–
Paŭlo Ebermann♦, Jul 14 '13 at 10:36

@PaŭloEbermann, that was the best picture I could find. I intend the chest to have no slits, but I couldn't find a picture of such a thing.
–
D.W., Jul 14 '13 at 18:30

1

As I interpreted the answer, the MAC is the padlock on the box. It ensures that the message inside has not been tampered with by someone that does not possess the combination / key. Typically a MAC is sent with the data to be verified, and that data can be viewed without restriction.
–
Stephen Touset, Jul 16 '13 at 15:43

1

To be fair, I think your solution is technically slightly more accurate (there are no restrictions on modifying the contents protected by the MAC, for example). But I also appreciate the simplicity and intuitiveness that this answer provides. They're both great answers.
–
Stephen Touset, Jul 16 '13 at 15:45

A physical analog to a MAC would be a numbered tamper-evident seal, such as a tag used to ensure the cargo door of a truck remains closed. Such seals cannot be removed without leaving visible damage to the seal. They are uniquely numbered by a trusted seal manufacturer, who provides assurance that no two tags have the same identifying markings.

When a trucker accepts a shipment, the shipper takes a new tamper-evident seal of his own, writes the number on the cargo manifest, signs the manifest, then puts their product and manifest in the cargo area of the truck*. They then wrap the seal around the door latch on the outside of the truck and fasten it securely so the doors cannot be opened without damaging the seal. The trucker then drives the load away. When the trucker reaches his destination, the recipient examines the tag for damage, then breaks the seal and opens the truck door. He then checks that the number of the seal matches the number printed on the cargo manifest. The undamaged seal provides assurance that nobody including the trucker had access to the goods the shipper originally put in the truck.

A seal provides assurances similar to those provided by a MAC:

The shipper buys their seals from a trustworthy company that promises to sell seals in the range of 1000 to 2000 only to John's Widget Co. This provides the authentication that it was John's Widget Co that bought the seal and sealed the truck shut and not someone else. A MAC uses a shared secret known only to the sender and receiver, and couldn't have been created by someone else.

The number on the tag proves that this exact truckful of stuff matches the number on the manifest, meaning someone didn't swap a sealed truck substituting "John's Cheap Widgets" for "John's TopShelf Widgets". The MAC tells the recipient that this message is the one that was protected, and not just any old message from the sender.

The tamper-evident nature of the seal proves that nobody opened the truck, just as a MAC proves that nobody changed the message.

The seal provides no physical protection against theft or tampering because it's not a lock, just as a MAC doesn't stop anyone from reading or changing the message. It just tells the recipient when tampering occurred.

The numbers on the seal don't tell anyone about the contents of the truck, just as a MAC doesn't reveal the contents of the message it's protecting.

* In reality, a shipping manifest is usually sent under separate cover, which is a significant difference between a MAC and a signed manifest sealed inside the truck.

Your tamper-evident seal can be verified by anyone. Imagine that I am evil and decide to steal "John's TopShelf Widgets" straight out of the truck, but I wish to ensure they're the real-deal and haven't been tampered with. I can do this quite easily using the procedure you described. Further, your seal analogy also provides secrecy in that cargo areas aren't transparent. And lastly, your scheme has the odd property that the "MAC" can only be verified once; after the tamper-evident seal is broken, the cargo can no longer be trusted without a new seal.
–
Reid, Jul 15 '13 at 23:21

1

@Reid, I'm trying to answer the question, which is to provide a physical analogy to a MAC to explain the concept to non-cryptographers. People know a seal only provides assurance that the cargo wasn't tampered with, and that it's not a lock or vault that stops someone from stealing the cargo. But it's only an analogy, it's not a perfect example. Getting into the fine details where the analogues differ, like "transparent cargo areas" and "verify only once", won't add to the non-cryptographer's understanding.
–
John Deters, Jul 16 '13 at 13:40

Ignoring the whole transparency/verify-only-once thing, my primary point was that in this scheme, anyone can authenticate the cargo, not just some trusted receiver. This makes this analogue more like a signature and less like a MAC, and the difference between the two is (I think) a point of confusion for many novices. I realize that no analogue is perfect, but capturing the requirement for key possession is pretty essential in my opinion...
–
Reid, Jul 16 '13 at 16:49

The seal number is written on the manifest and is sealed in the truck. You can validate the seal is legitimate only by tampering with it and opening the truck. You can tell from the outside only that a seal exists, not that it's the legitimate seal placed by John's Widget Co., or that the truck contains deluxe widgets. Outward behavior is otherwise pretty similar to a MAC.
–
John Deters, Jul 16 '13 at 18:10

A MAC Scheme for Optical Lenses

MACs provide authentication over arbitrary bitstrings, but there is no decent hash function for arbitrary physical objects. I believe that dropping the goal of trying to be a general purpose "any physical object" MAC, you can get much closer to meeting the properties of a cryptographic MAC.

Here is a physical analogue of a MAC for optical lenses. I've imagined a world where there is a need to be able to verify the integrity of lenses sent from place to place, with analogous developments to what has happened in crypto.

Public Algorithm

There is a publicly known mechanism for validating MACs over lenses - a standard jig containing mirrors and lasers into which you place the lens, and a paper holder (let's say it's A4). Manufacturers can sell you certified jigs that are known to meet the standard.

The jig is designed such that the laser beams pass through the lens multiple times as they bounce around the mirrors, before finally shining on the paper (or hitting another non-reflective part of the jig).

The jig design is critical to the security of the system - many jigs were designed in the old days that had weaknesses allowing attackers to break the scheme. Jigs these days are typically developed by academics, then standardised by national bodies as a result of a competition comparing security, size and ease of use (speed) across the entrants.

Secret Key

Sender and receiver share a secret: a particular configuration of lasers and mirrors (which positions all of the mirrors and lasers are in, potentially which lasers are on or off).

There is a finite but very large set of valid configurations (which means that the jig supports lasers being in one of a set positions, not an analogue configuration). An example configuration might be specified as: Laser n; position. Mirror n; position. L1:45; L2:0; L3:90; L4:20; ... L15:0; M1:45; M2:80; ... M10:90.

(There are some weak keys, e.g. very short ones, all zeros, and more subtle issues like setups that typically lead to null MACs. The algorithm specifies constraints for constructing strong keys.)

Verification

Sender dispatches a lens (the message) to the receiver, alongside a piece of paper with some dots on it (the MAC).

The receiver puts the lens into the jig (the algorithm), sets up the mirrors and lasers according to the shared secret configuration (key input), and slots the paper into its holder (MAC input).

When the lenses are on, if each dot on the paper is illuminated by a laser (and there are no lasers shining onto the paper where there are no dots), then the MAC is verified and the receiver knows that they have received the correct lens.

Generation

This is an analogue of a symmetric MAC scheme - generation follows the same process as verification, but blank paper is used and the positions of the dots are recorded rather than checked.

Comparison to MAC Properties

Avalanche Effect

Provided the algorithm (jig) is well defined, a small change to the lens will lead to a large change to the MAC, as each laser beam passes through the lens a number of times at multiple different points: by the time it hits the paper a small change in the lens will have a large change in the position of the spots in the paper.

(c.f. pictures or other representations of messages).

Detection not prevention

The MAC does nothing to stop an attacker swapping out or altering the lens or MAC - it just alerts the receiver to the change.

Deriving the key from example valid message:MAC pairs

(c.f. wax seals, signatures, key or combination locks that can be disassembled)

Existential Forgery

Without knowing the secret key, there is no practical way for an attacker to create a valid MAC for their lens.

(c.f. locks that open whatever key you insert / combination you put in)

Chosen Plaintext Attack

A cryptographic MAC should be resistant to attack even if the attacker has access to an oracle that will produce valid MACs for arbitrary plaintexts (Chosen Plaintext Attack).

This scheme is not as resistant as you would like under these circumstances - the null message of a non-distorting lens reveals more information about the secret key than is ideal. It doesn't immediately reveal the key provided the jig (algorithm) is well designed, but you could imagine a small set of well chosen lenses that could give the attacker a significant advantage.

So users of this scheme need to try and avoid providing attackers access to an oracle of this kind - something you try to avoid in a real cryptosystem too!

Does Not Reveal The Message

If you want to also put the lens in a strongbox and ship the MAC outside the box, the MAC doesn't reveal much useful information about the lens without knowing the key.

The purpose of this question was for explaining MACs to non-technical people in a way that makes intuitive sense. That said, this is extremely interesting, something I had no idea that existed, and is actually a very accurate physical analogue. So while I don't think it's a good fit in terms of the specific intent of the question, it's still a great and intriguing answer. Have an upvote!
–
Stephen Touset, Jul 17 '13 at 22:16

@stephen Fair point, it does take a bit of thinking about. I think it could work for any scientifically minded person with no knowledge of crypto. Just to clarify in case there's any doubt: I completely made all this up.
–
Michael, Jul 17 '13 at 23:03

Oh, the way you had written it, it sounded as if this was something that actually existed.
–
Stephen Touset, Jul 17 '13 at 23:10
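
The properties listed in the lens answer above (generation and verification are the same keyed computation, a small change to the message changes the tag completely, and the tag only detects changes), shown with HMAC-SHA256 from Python's standard library. This is an added example, not part of any answer; the keys, the sample message (borrowed from the delivery-note answer) and the function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Generation: what the sender does with the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """Verification: recompute the tag with the same key, compare in constant time."""
    return hmac.compare_digest(make_tag(key, message), tag)


def bits_changed(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length tags differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def demo() -> dict:
    key = secrets.token_bytes(32)        # the shared secret (the jig configuration)
    other_key = secrets.token_bytes(32)  # a party that does not hold the secret
    message = b"173 kg bananas and 43 kg apples"  # constructed sample
    altered = b"173 kg bananas and 44 kg apples"  # one character changed

    tag = make_tag(key, message)
    # Symmetry: whoever can verify can also produce a valid tag for any message.
    tag_for_altered = make_tag(key, altered)
    return {
        "genuine_accepts": verify(key, message, tag),
        # Detection, not prevention: the altered message travels fine, but fails the check.
        "altered_rejected": not verify(key, altered, tag),
        # Without the right key the tag cannot be checked at all.
        "wrong_key_rejected": not verify(other_key, message, tag),
        "key_holder_can_retag": verify(key, altered, tag_for_altered),
        # Avalanche: roughly half of the 256 tag bits flip for a one-character change.
        "avalanche_bits": bits_changed(tag, tag_for_altered),
        "tag_length": len(tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `key_holder_can_retag` result is the property raised in the comments on the watermark answer: a MAC tells the receiver the message came from someone holding the key, which includes the receiver.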

If a wax seal is an analogue for a signature, then there's also an implication of authentication in it - i.e. the integrity of the wax seal indicates whether the message had been opened, giving a reasonable assertion that the message has not been tampered with.

By extension, other methods of sealing messages such as placing them in envelopes (which can be inspected to see signs of being opened) can be viewed to authenticate the contents.

Simply placing a message in an envelope doesn't have similar semantics to MACs. With a MAC, only people who possess the secret can authenticate a message. And anyone with the secret can generate an authenticator for any message.
–
Stephen Touset, Jul 9 '13 at 2:24

Yeah, an envelope is more analogous to a message integrity code.
–
archie, Jul 9 '13 at 3:20

This fails the analogue as the stamping is easier to check (and actually should be easier to check) than to create. It is more alike to a (digital) signature.
–
Paŭlo Ebermann♦, Jul 14 '13 at 10:39

The point of finding an analogy is to make it easier to explain the idea, and not to have a feature-by-feature mapping of MAC and physical item. This process is actually done in the real world, even today, to check authenticity and integrity; you can see it in your currency bills and govt papers.
–
doesnt_matter, Jul 14 '13 at 20:37

Your handwriting could be a strong indication that the message was written by you, although that's not unforgeable.

You can also use personal references or references to earlier, secure communications you had with that person (i.e. meet me at the cafe where we first met). (got confused with authentication here)

Another option would be to use custom-made or rare ink. The recipient can later use chromatography (with varying degrees of accuracy depending on the budget) to at least give a good indication that parts of the message were not altered. For example, scan the paper (to keep the contents), cut it in strips and dunk them in a bowl of water and observe the rainbow.

Or you can agree on some secret value (or group of values) $S$, assign a value to each letter and say the XOR of all letters is $S$. You can then add content to meet the target. Writing the code for this would also be an interesting exercise.

The first and second ones are an analogue of an asymmetric scheme, not a symmetric one. The third is not much of a physical analogue, not something easily explained to a layperson, and unless done for extremely large values of $S$, prone to accidental collisions.
–
Stephen Touset, Jul 17 '13 at 16:11

What I mean in the first is that it's (supposedly) easy to spot inconsistencies in writing style. With the second, I agree. The third is indeed a bit technical. The XOR method (assuming the Latin alphabet) has a 1/52 chance of collision per message (small and capital letters). You could add punctuation to the tally but it's still a bit risky. It should be OK for low traffic and any alteration would almost certainly change the sum.
–
rath, Jul 17 '13 at 16:16
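
The XOR-of-letters scheme from the answer above, written out next to HMAC for comparison. This is an added example, not code from the post, and it rests on assumptions the post does not spell out: each character's value is its ASCII code, $S$ is a single byte, and "adding content" means appending one filler byte. All names and sample values are constructed.

```python
import hashlib
import hmac
from functools import reduce

S = 0x5A  # constructed stand-in for the agreed secret target value (assumed: one byte)


def xor_all(data: bytes) -> int:
    """XOR of the values of all characters in the message."""
    return reduce(lambda acc, b: acc ^ b, data, 0)


def seal(message: bytes, target: int = S) -> bytes:
    """'Add content to meet the target': append one filler byte so the XOR equals S."""
    return message + bytes([xor_all(message) ^ target])


def check(sealed: bytes, target: int = S) -> bool:
    """Receiver's test in the XOR scheme."""
    return xor_all(sealed) == target


def compare_schemes() -> dict:
    original = seal(b"pay bob 19 dollars")  # constructed sample message
    # Same characters with two digits swapped; the filler byte is unchanged.
    reordered = b"pay bob 91 dollars" + original[-1:]

    key = b"constructed-demo-key"  # HMAC key, constructed for the comparison
    tag = hmac.new(key, original, hashlib.sha256).digest()
    hmac_accepts = hmac.compare_digest(
        hmac.new(key, reordered, hashlib.sha256).digest(), tag
    )
    return {
        "original_passes": check(original),
        # XOR is order-independent, so a changed amount still passes the check.
        "reordered_passes": check(reordered),
        # The target is recomputable from any one valid message, with no key involved.
        "s_recoverable_from_message": xor_all(original) == S,
        # A keyed MAC over the same two messages tells them apart.
        "hmac_accepts_reordered": hmac_accepts,
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```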